|
WebApp Sec
mailing list archives
Re: "Forgot Password" function
From: "Kevin Spett" <kspett () spidynamics com>
Date: Sun, 20 Oct 2002 21:19:39 -0400
The simple solution to this problem is to actually generate a new
password for the user and email them that instead and force them to
change it on the first login. That achieves a few security goals:
This does nothing to defend against the scenario I wrote about earlier in
this thread. You can read it here:
http://archives.neohapsis.com/archives/sf/www-mobile/2002-q4/0020.html
To reiterate, unencrypted email offers no garauntee of privacy or
authenticity.
Kevin Spett
SPI Labs
http://www.spidynamics.com/
 By Date 
By Thread
Current thread:
- Re: Password Recovery (long) was Re: "Forgot Password" function, (continued)
RE: "Forgot Password" function wsmith (Oct 18)
RE: "Forgot Password" function Matthew_Chalmers (Oct 19)
RE: "Forgot Password" function William Bartholomew (Oct 20)
- Re: "Forgot Password" function Kevin Spett (Oct 20)
| 
Intro
